Windows – Allow Windows Domain users Local Admin rights on subset of Domain Computers

You can place the users from the "parent" domain into a global group in the parent domain, then nest that global group into the "Administrators" domain local group in the "child" domain. That will give you the functionality you're looking for (assuming a stock set of AD permissions on the child domain). "Administrators" gets named with the same rights as "Domain Admins" in all the permissions on the AD.

As far as permissions on shares and such that you've created-- that's your problem. >smile<

Edit:

The "BUILTIN\Administrators" group in the child domain does have the same rights to Active Directory as the "Domain Admins" group in the Active Directory. You're not talking about rights to Active Directory in your comment-- you're talking about a default group nesting that gets performed on the Local Users and Groups on member computers. The kind of thing you commented on is what I mean when I said "that's your problem". It's an easy one to fix, too.

This is a job for "Restricted Groups" policy!

So, let's say that you want to modify the behaviour of the local "Administrators" group nesting domain-wide in the child domain.

• Create and link a GPO at the root of the child domain (actually, link it to a sub-OU with a test computer in it first, then when you know it's working, link it to the root of the domain).
• In that GPO, open "Computer Settings", then "Windows Settings", "Security Settings", and "Restricted Groups".
• Right-click "Restricted Groups" and do an "Add Group".
• Click "Browse" in the "Add Group" dialog, key in "Administrators" (not "Domain Admins" or anything else), and click "Check Name" and "OK". Click "OK" to dismiss the "Add Group" dialog.
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box.
• Click "Browse" in the "Add Member" dialog and key in "Domain Admins" and click "Check Name" and "OK". In the "Add Member" dialog, you'll see "CHILDDOMAINNETBIOSNAME\Domain Admins" listed. Click "OK".
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box again.
• Click "Browse" in the "Add Member" dialog and key in the name of the global group in the parent domain that you created to hold users who are getting "Administrator" rights in the child domain. Before you click "Check Name", click "Locations" and choose your parent domain in the "Locations" dialog and click "OK". Then click "Check Name" and "OK". In the "Add Member" dialog, you'll see "PARENTDOMAINNETBIOSNAME\Group name you created" listed. Click "OK".

When this GPO applies to computers, their local "Administrators" group will get the groups "CHILDDOMAINNETBIOSNAME\Domain Admins" and "PARENTDOMAINNETBIOSNAME\Group name you created" nested into it automatically.

Create a group to encapsulate the users (Local-Admins-Tablets) and add them to this group

Create a sub-OU of the current workstations OU and put the tablets in here (Workstations\Tablets)

Create a GPO (Local-Admins-Tablets-Policy) and link it to the Workstations\Tablets OU

In the GPO, set the following:

• Comp Config - Policies - Windows Settings - Security Settings - Restricted Groups
• Right click, Add Group
• "Administrators", OK
• Members of this Group: myDomain\Local-Admins-Tablets

Reboot the PCs, and done.

Bear in mind that setting Restricted Groups will overwrite the machines existing list of local Administrators. If you have other users/groups in there already, you will need to add them to this policy too. Other examples would be myDomain\Domain Admins etc

EDIT: Oh, and change the filtering on the GPO and add Domain Computers. The easiest way to do this is to use the Group Policy Management MMC snapin (you can get this from the Remote Server Administration Tools from Microsoft)